diff options
| author | glider@chromium.org <glider@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-26 13:02:27 +0000 |
|---|---|---|
| committer | glider@chromium.org <glider@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-26 13:02:27 +0000 |
| commit | 137d237f941001695681ed5628a20dec84cd3b86 (patch) | |
| tree | 70559e184761db404b76e7c45114a7f18355ad5c /base/pickle.cc | |
| parent | 088a29610c15b4a2fcb5f504f36c1f397cd3f42c (diff) | |
| download | chromium_src-137d237f941001695681ed5628a20dec84cd3b86.zip chromium_src-137d237f941001695681ed5628a20dec84cd3b86.tar.gz chromium_src-137d237f941001695681ed5628a20dec84cd3b86.tar.bz2 | |
Check that we've got a complete header before accessing its fields.
This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed
at http://codereview.chromium.org/6353010/
BUG=70376
TEST=none
TBR=darin,willchan
Review URL: http://codereview.chromium.org/6347013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72634 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/pickle.cc')
| -rw-r--r-- | base/pickle.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/base/pickle.cc b/base/pickle.cc index a05df28..e7d5768 100644 --- a/base/pickle.cc +++ b/base/pickle.cc @@ -406,6 +406,9 @@ const char* Pickle::FindNext(size_t header_size, DCHECK(header_size == AlignInt(header_size, sizeof(uint32))); DCHECK(header_size <= static_cast<size_t>(kPayloadUnit)); + if (static_cast<size_t>(end - start) < sizeof(Header)) + return NULL; + const Header* hdr = reinterpret_cast<const Header*>(start); const char* payload_base = start + header_size; const char* payload_end = payload_base + hdr->payload_size; |